Windows Hello is described as a more personal way to sign in to Windows 10 devices with just a look or a touch. Microsoft claims to enable enterprise-grade security through the process, without having users type in a password.

Windows 10 incorporates multi-factor authentication technology based upon standards developed by the FIDO Alliance. The operating system includes improved support for biometric authentication through Windows Hello software and devices with supported cameras, which allow users to log in with face or iris recognition.

Devices with supported readers support fingerprint-recognition login. Credentials are stored locally and protected using asymmetric encryption.

The blog notes that Microsoft looks “forward to a Web where the user doesn’t need to remember a password, and the server doesn’t need to store a password in order to authenticate that user. Windows Hello, combined with Web Authentication, enables this vision with biometrics and asymmetric cryptography. In order to authenticate a user, the server sends down a plain text challenge to the browser. Once [we are] able to verify the user through Windows Hello, the system will sign the challenge with a private key previously provisioned for this user and send the signature back to the server. If the server can validate the signature using the public key it has for that user and verify the challenge is correct, it can authenticate the user securely.”

Microsoft notes that the new private keys issued under Windows Hello are stronger credentials because the Windows Hello platform prevents password guessing, phishing, and keylogging, and it is resilient to server database attacks.
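The exchange the blog describes can be sketched in a few functions. This is an added example, not Microsoft's code or the Web Authentication wire format: the function names, the in-memory maps and the raw-challenge signature are assumptions made for illustration, and the Windows Hello biometric gesture is represented only by a comment.

```javascript
// Added example: simplified challenge-response login (hypothetical names throughout).
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Server state. Only public keys are stored, so a database leak yields no login secret.
const publicKeys = new Map(); // userId -> public key
const pending = new Map();    // userId -> outstanding challenge (Buffer)

// Provisioning: the key pair is created for the user; the private key stays client-side.
function register(userId) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  publicKeys.set(userId, publicKey);
  return privateKey; // held by the client authenticator, never sent to the server
}

// Server: send down a fresh random challenge for this login attempt.
function issueChallenge(userId) {
  const challenge = randomBytes(32);
  pending.set(userId, challenge);
  return challenge;
}

// Client: runs only after the local user-verification step has succeeded.
function signChallenge(privateKey, challenge) {
  return sign('sha256', challenge, privateKey);
}

// Server: the challenge must be the one issued, is consumed on first use,
// and the signature must verify under the stored public key.
function authenticate(userId, challenge, signature) {
  const expected = pending.get(userId);
  pending.delete(userId); // single use: a captured response cannot be replayed
  const key = publicKeys.get(userId);
  if (!expected || !key || !expected.equals(challenge)) return false;
  return verify('sha256', challenge, key, signature);
}

// Walk through one good login and one replay of the same response.
function runDemo() {
  const priv = register('demo-user');
  const challenge = issueChallenge('demo-user');
  const signature = signChallenge(priv, challenge);
  const first = authenticate('demo-user', challenge, signature);
  const replay = authenticate('demo-user', challenge, signature);
  return { first, replay };
}
```

Consuming the challenge on first use is what makes "verify the challenge is correct" meaningful: the same signed response is accepted once and rejected afterwards.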

Great news about biometric authentication on the web from Microsoft with their new web browser Edge. I hope this biometric web authentication will not discriminate against some biometric devices but will instead have an API that cuts across all biometric devices that can be used on the web.